s3proxy: add keyservice integration

Encrypt each object with a random DEK and attach the encrypted DEK as object metadata. Encrpt the DEK with a key from the keyservice. All objects use the same KEK until a keyrotation takes place.
2025-05-06 08:15:48 -04:00 · 2023-10-02 09:00:38 +02:00 · 2023-10-02 09:00:38 +02:00 · 887dcda78b
commit 887dcda78b
parent a7ceda37ea
15 changed files with 414 additions and 71 deletions
--- a/s3proxy/internal/router/router_test.go
+++ b/s3proxy/internal/router/router_test.go
@ -46,3 +46,42 @@ func TestValidateContentMD5(t *testing.T) {
 		})
 	}
 }
+
+func TestByteSliceToByteArray(t *testing.T) {
+	tests := map[string]struct {
+		input   []byte
+		output  [32]byte
+		wantErr bool
+	}{
+		"empty input": {
+			input:  []byte{},
+			output: [32]byte{},
+		},
+		"successful input": {
+			input:  []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"),
+			output: [32]byte{0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41},
+		},
+		"input too short": {
+			input:   []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"),
+			output:  [32]byte{0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41},
+			wantErr: true,
+		},
+		"input too long": {
+			input:   []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"),
+			output:  [32]byte{0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41},
+			wantErr: true,
+		},
+	}
+
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			result, err := byteSliceToByteArray(tc.input)
+			if tc.wantErr {
+				assert.Error(t, err)
+				return
+			}
+
+			assert.Equal(t, tc.output, result)
+		})
+	}
+}